Releases: HotCakeX/Harden-Windows-Security

Harden Windows Security v.0.7.2

07 Jan 12:23
f6c932b

What's New

This update is full of new features 🎉

Ability to Remove built-in pre-installed apps

Introduced the ability to remove built-in apps using the Harden Windows Security module. This functionality is available on a dedicated page. The list of removable apps is stored in a JSON file, providing flexibility and extensibility.

When apps are removed using the Harden Windows Security module, they are removed for all users, and they won't come back when you create a new user. They are re-installable from the Microsoft Store if necessary.

The JSON file currently includes 37 apps. More apps can easily be added to it in the future without modifying the code.


Ability to Remove Individual Optional Windows Features and Capabilities

Added a new page for managing Optional Windows Features. While the Harden Windows Security module already includes an Optional Features category in the hardening measures section, this new page allows for granular control, enabling you to fine-tune which features to enable or disable. It also includes additional optional features that can be removed.


Online File Reputation Check via Smart App Control/SmartScreen through Microsoft Defender

Uses Microsoft Defender to query a file's reputation from either Smart App Control or SmartScreen, whichever is in control. It doesn't need Admin privileges. It's in a new dedicated tab available in the GUI. Simply browse for a file to see its reputation and some other advanced details. You can use this feature while other tasks in the Harden Windows Security module are running.


Added Reduced Telemetry Policies

Added reduced telemetry policies to the Miscellaneous Category in the Harden Windows Security module. They are a sub-category and include the following policies:

  • Disable Online Tips. (CSP)

  • Disable Find My Device feature. (CSP)

  • Disable Automatic Update of Speech Data. (CSP)

  • Turn off the advertising ID. (CSP)

  • Turn off cloud optimized content. (CSP)

  • Do not show Windows tips. (CSP)

  • Do not show feedback notifications. (CSP)

  • Turn off Automatic Download and Update of Map Data. (CSP)

  • Disable Message Service Cloud Sync for cellular text messages. (CSP)

  • Disable support for web-to-app linking with app URI handlers. (CSP)

  • Disable "Continue experiences on this device" feature. (CSP)

  • Disable Font Providers. (CSP)

  • Don't search the web or display web results in Search. (CSP)

  • Do not allow web search. More Info


AppControl Manager Installer Integration

You can now install the AppControl Manager right from the Harden Windows Security module. This is a very convenient way to install it as it only requires a click/tap of a button.



Other Changes

  • Compliance Checking Enhancement: Added support for VBScript compliance checks.

  • Code Improvements: Implemented several code enhancements and optimizations.

  • UI Enhancements: Updated the button styles on the ASR Rules and Unprotect pages. The new design replaces the previous animated buttons with play icons, offering a cleaner and more modern look.

  • Added description texts to the top of the pages.

  • Renamed the Only Elevated Signed sub-category to Only Elevate Signed; the old name was a typo.

  • Updated the readme.

  • Updated the demo gif to reflect the changes in the GUI.


Harden Windows Security module



Auto generated release notes 👇

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.2.0 by @github-actions in #500
  • Implemented Apps and Windows Features Removal by @HotCakeX in #506
  • Implemented online file reputation verification in the Harden Windows Security module by @HotCakeX in #507
  • Added AppControl Manager native installer to the Harden Windows Security Module by @HotCakeX in #508
  • Improved the bootstrapper script by @HotCakeX in #509
  • Added reduced telemetry policies by @HotCakeX in #510

Full Changelog: AppControlManager.v.1.8.2.0...Hardening-Module-v.0.7.2


AppControl Manager 1.8.2.0

04 Jan 17:58
73c48c3

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added a policy validation feature to the AppControl Manager. It's a dedicated page where the user can browse for App Control XML files and validate them. Useful if the user modified an XML file manually and wants to make sure the modifications are valid according to the official schema.

  • A new page, View File Certificates, has been added. This page allows you to load any file and examine its certificates in a highly detailed format. It also supports CIP and CER files. Many of the details displayed for signed files, such as the TBS hash and precise identification of each policy type, are not readily available elsewhere.

  • Added useful labels to the main navigation to offer a more categorized menu.

  • Reduced the empty spaces in the documentation pages, dedicating more space to the web content.

  • Added SHA3-384 and SHA3-512 hashes calculation to the Get Code Integrity Hashes page.

  • Added new documentation for the new features.

  • Set the minimum HTTP version to 2.0, so the app no longer falls back to 1.1; by default it tries the highest available version, which is 3.0 at the moment.

  • Added progress rings for each hash type in the Get Code Integrity Hashes page to display their individual progress.




Automated Change Logs

  • Added XML policy file validation feature to the AppControl Manager by @HotCakeX in #495
  • Added a feature to view advanced file cert details in AppControl Manager by @HotCakeX in #496
  • Set minimum HTTP version to 2.0 by @HotCakeX in #497
  • Version bump to 1.8.2.0 - AppControl Manager by @HotCakeX in #498
  • Adding support for hashing very large file by @HotCakeX in #499

Full Changelog: Hardening-Module-v.0.7.1...AppControlManager.v.1.8.2.0


Note

As mentioned at the top, please refer to this page for installation instructions.


Harden Windows Security v.0.7.1

02 Jan 18:29
3ea3b8d

What's New

  • During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware.

  • Adjusted the TLS Category's Intune Json config to match the new schema.

  • Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA, which is less secure but required for the BattleNet client to connect to its servers. Fixes -> #489

    • This means the BattleNet client is no longer automatically detected on the system, because it is sometimes installed in a non-default location. Now the user is in control to decide whether to use the extra cipher suite or not.
  • WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories.

    • This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager.

PR: #494


AppControl Manager 1.8.1.0

01 Jan 19:55
7f603d5

What's New


Important

How To Install: Copy and Paste this command in a PowerShell window as Admin. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Improved the UX (User Experience) in the Update page. When actions such as checking for updates or installing a new version are happening, the page behind the update button becomes unavailable in order to keep things consistent.

  • Improved the Allow New Apps page's experience. When you filter data in the DataGrids and then remove some items, the data is shown correctly after you remove the filter.

  • Also, in the Allow New Apps page when you reset, the path to the selected base policy will remain intact and you can begin creating a new policy right away for another program because the selected logs will be properly emptied.

  • The app no longer allows the wrong certificate or common name to be used during signed policy deployment, re-deployment or removal. Such possible user accidents are caught very early on and communicated to the user with proper and clear messages so the user can fix the mistake quickly. The goal is to never let AppControl Manager be used even intentionally to cause boot failure when dealing with signed policies.

  • The content dialogs that ask for user input for signing scenarios have better visuals now, and the focus is by default on the Verify button, which makes it easier and clearer what needs to be done. It also means you can press the Enter key on the keyboard quickly to confirm the actions without using the mouse.

  • Improved DataGrid experience when removing items in MDE Advanced Hunting and Event Logs pages.



  • AppControl-Manager-DownloadLink-Version-Update-Version-1.8.0.0 by @github-actions in #486
  • Improving documentations for the AppControl Manager app by @HotCakeX in #487
  • Various UI improvements in the AppControl Manager by @HotCakeX in #490
  • Implemented more guardrails for signed scenarios in AppControl Manager by @HotCakeX in #492

Full Changelog: AppControlManager.v.1.8.0.0...AppControlManager.v.1.8.1.0


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.8.0.0

27 Dec 09:19
7bd1b97

What's New

First of all, Merry Christmas and Happy Hanukkah ^^ 🎄🕎


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Improved the deployment page by adding flyouts to the browse buttons to display the files you select. The page is also augmented with the Sidebar so it supports quick policy file assignment.

  • 🎉 You can now deploy signed policies in the deployment page.

  • The system information page now allows the removal of all non-system policies. Whenever you select a policy, it will automatically detect the type of it and will take the appropriate action.

  • Many guardrails have been put in place to guide the user during policy signing and signed policy removal in order to prevent accidents or boot failures when dealing with signed policies.

  • Reduced the empty spaces at the top of certain pages.

  • Made the remaining regular expressions throughout the code source-generated and compiled for improved performance.

  • 🎉 You can now seamlessly use the Allow New Apps page with signed policies. These policies are automatically recognized, and users are prompted to provide any additional information required for policy signing.

  • The Microsoft Defender for Endpoint Advanced Hunting menu option has been moved out from under the Audit Event Logs Creation menu. It is now a primary menu entry, consistent with other main menu items.

  • The Sidebar's auto-assignment feature is now enabled by default to streamline user interactions.

  • The check for updates at app startup is now on by default. It simply checks to see if a new version of the app is available and informs the user if there is by showing a small dot on the update page's icon.

    • Both changes only apply to new app installations. If you've already toggled their buttons off then they remain off.
  • 🎉 Added Microsoft Recommended Block Rules auto update mechanism to the Create Policy page. It uses a scheduled task that runs weekly to keep it up to date.

  • Updated wiki documents to reflect the new auto update mechanism.

  • Improved the app's name appearance in the title bar. It was too white in the light theme, which made it hard to read.

  • Added a horizontal separator line in the Code integrity information page to separate CI info from App Control info for better readability.

  • 🎉 Added Application Control Status to the System Information page in the AppControl Manager.

    • It displays the status of User Mode and Kernel Mode Application Control on the system. Valid values are:
      • Enforced Mode
      • Audit Mode
      • Disabled/Not Running
  • 🎉 Improved the performance of file enumeration/indexing. This affects how fast files in a directory are found by the AppControl Manager.


Automated Release Notes

From now on each feature will have its own PR in order to make it easier to code review and track changes and to follow a more standard approach.

  • AppControl-Manager-DownloadLink-Version-Update-Version-1.7.0.0 by @github-actions in #463
  • Switch to file scoped namespace and other minor improvements by @HotCakeX in #465
  • Bump Microsoft.Graphics.Win2D and Microsoft.WindowsAppSDK in /AppControl Manager by @dependabot in #468
  • Bump actions/attest-build-provenance from 1 to 2 by @dependabot in #467
  • Bump actions/attest-sbom from 1 to 2 by @dependabot in #466
  • Implemented property pattern matching by @HotCakeX in #469
  • Improving file enumeration in AppControl Manager by @HotCakeX in #470
  • Added Application Control Status to the System Information page by @HotCakeX in #471
  • Added Microsoft Recommended Block Rules auto update by @HotCakeX in #472
  • Removed unused PowerShell logic belonging to WDACConfig by @HotCakeX in #473
  • Configured default app settings by @HotCakeX in #475
  • Implementing signed policy scenarios by @HotCakeX in #474
  • Removing unused PowerShell logic for WDACConfig module by @HotCakeX in #483
  • Adding signed policy support when allowing new apps in AppControl Manager by @HotCakeX in #482
  • Improved Merge operation by @HotCakeX in #484

Full Changelog: AppControlManager.v.1.7.0.0...AppControlManager.v.1.8.0.0


Note

As mentioned at the top, please refer to this page for installation instructions.


AppControl Manager 1.7.0.0

20 Dec 19:39
e164702

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

Navigation

  • New Sidebar: Added a sidebar on the right side of the app, hosting multiple useful features for improved accessibility and functionality.

  • Search Bar Relocation: Moved the search bar to the center of the title bar for a more consistent experience with other Windows apps.

  • Enhanced Search: Improved search functionality to support spaces after keywords for more accurate results.

  • Resizable Navigation: Made the main navigation on the left side resizable with a draggable area for better customization.

  • Breadcrumb Navigation: Introduced a breadcrumb bar that displays the current path and allows easy navigation to previous pages, similar to Windows Settings.

  • Title Bar Enhancements: Added the app logo and app title to the title bar. The title is responsive and adapts to window width changes.

  • Menu & Back Button Relocation: Moved the menu and back buttons to the title bar to make better use of available space.

  • Sidebar Toggle Button: Added a button to the title bar to quickly open and close the sidebar. Its icon and text are dynamic based on the sidebar state.

  • Navigation Bug Fix: Fixed an issue where the main navigation would become unresponsive to width changes if you switched the navigation style from "left" to "top" and back to "left" in the settings.

  • Navigation Logic Improvements: Substantially improved the internal logic for the main navigation.

  • Menu Selection Fix: Resolved an issue where navigating back to Settings or one of the footer pages using the back button wouldn't update the menu's selected item properly.

  • Improved Menu Flyout in the System Information page -> #452


Sidebar

The AppControl Manager features a versatile Sidebar designed to streamline user interactions and enhance productivity. With the Sidebar, you can select a base policy path once and seamlessly reuse it throughout the app, eliminating the need to repeatedly browse for the file.

Pages within AppControl Manager that require an XML policy file automatically recognize when a path has been selected in the Sidebar. As you navigate to these pages, subtle indicators appear, prompting you to open the Sidebar and quickly access the pre-selected file path.

The Sidebar also includes a toggle switch that, when enabled, automatically assigns newly created base policy paths to the Sidebar. This feature further accelerates workflow and minimizes manual input.

By default, the Sidebar displays the XML policy path specified in the App settings, ensuring immediate access to the main policy you work with.

Dedicated document page


Deny Policy Creation

Use AppControl Manager to create Deny App Control policies. Keep in mind that App Control is inherently a whitelisting feature so anything that is not allowed by a policy is already automatically blocked.

All Deny policies are of the Base policy type, because other types such as Supplemental cannot contain Deny rules.

All Deny policies have 2 allow all rules so that anything not denied by them will be allowed. This is mandatory for the policy to work. This also allows Deny policies to be deployed side by side with other policies, because for a file to be allowed, it must be allowed by all deployed policies. Read more about side-by-side deployment here.

Continue reading here
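
The evaluation rule described in this section, modeled as an added example (not AppControl Manager's code): a file runs only if every deployed base policy allows it, and inside one policy an explicit deny wins over an allow. The policy and file names are constructed, matching on file name alone is a simplification, and the split into one allow-all rule per signing scenario (kernel mode and user mode) is background from Microsoft's allow-all template rather than something this page states.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# App Control evaluates kernel-mode and user-mode code as separate signing
# scenarios, so a Deny policy carries one allow-all rule for each of them.
KERNEL, USER = "kernel", "user"


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    scenario: str  # KERNEL or USER
    pattern: str   # simplified: matches on file name only; "*" matches all


@dataclass
class BasePolicy:
    name: str
    rules: list = field(default_factory=list)

    def allows(self, file_name, scenario):
        hits = [r for r in self.rules
                if r.scenario == scenario and fnmatchcase(file_name, r.pattern)]
        # An explicit deny takes precedence over any allow in the same policy.
        if any(r.action == "deny" for r in hits):
            return False
        # Allow-list semantics: with no matching allow rule the file is blocked.
        return any(r.action == "allow" for r in hits)


def make_deny_policy(name, denied_user_mode_files, with_allow_all=True):
    """Build a Deny base policy; with_allow_all=False shows the broken variant."""
    rules = [Rule("deny", USER, f) for f in denied_user_mode_files]
    if with_allow_all:
        rules += [Rule("allow", KERNEL, "*"), Rule("allow", USER, "*")]
    return BasePolicy(name, rules)


def is_allowed(deployed, file_name, scenario):
    """Side-by-side deployment: every deployed base policy must allow the file."""
    return all(p.allows(file_name, scenario) for p in deployed)


def blocking_policies(deployed, file_name, scenario):
    """Names of the policies responsible for a block (empty list = allowed)."""
    return [p.name for p in deployed if not p.allows(file_name, scenario)]


def sample_deployment(with_allow_all=True):
    """Constructed deployment: an allow-list base policy plus a Deny policy."""
    corp = BasePolicy("CorpAllowList", [
        Rule("allow", KERNEL, "disk.sys"),
        Rule("allow", USER, "notepad.exe"),
        Rule("allow", USER, "legacytool.exe"),
    ])
    deny = make_deny_policy("DenyLegacyTool", ["legacytool.exe"], with_allow_all)
    return [corp, deny]


if __name__ == "__main__":
    cases = (("notepad.exe", USER), ("legacytool.exe", USER),
             ("unknown.exe", USER), ("disk.sys", KERNEL))
    for label, flag in (("with allow-all rules", True),
                        ("without allow-all rules", False)):
        print(label)
        deployed = sample_deployment(flag)
        for name, scenario in cases:
            blockers = blocking_policies(deployed, name, scenario)
            verdict = "blocked by " + ", ".join(blockers) if blockers else "allowed"
            print(f"  {name:<15} {verdict}")
```

The allow-all rules do not widen what the other policy permits: `unknown.exe` stays blocked by the allow-list policy, while a Deny policy built without them blocks everything it does not mention, including kernel drivers.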


Local File Scan

  • Improved the local file scan feature to handle files with corrupt Opus data more effectively.

  • Gracefully handles files with tampered certificates and hash mismatches by creating hash-based rules for them. Previously, such files would trigger an error, but they are now processed smoothly. When encountered during scans, these files are logged accordingly.

  • Improved the local file scan feature to manage inaccessible, unavailable, and non-existent files, including OS drives, kernel-protected drives, files in use by other processes, and volatile or temporary files that no longer exist during the scan phase. Each of these files is logged with a clear reason for being skipped.

  • Substantially enhanced file enumeration logic with more efficient, multi-threaded algorithms. For example, the entire OS drive containing millions of files can now be enumerated in a significantly shorter period of time. Use the Scalability gauge in Supplemental or Deny policy creation pages to control the number of threads used for file scans. Together, they allow you to create a policy for the entire OS drive in just a few minutes.


Other Changes

  • The AppControl Manager can now be updated when installed on Windows Sandbox or when you try to use a custom MSIX file as update source on it.

  • Adding, removing and setting rule options in the "Configure Policy Rule Options" page are now asynchronous and responsive. Also removed the text box that shows the selected XML policy path. The browse button's behavior is now consistent with the rest of the UI. You will see the selected file path after you use the browse button as a flyout with a clear button.

  • Added depth and subtle shadows to the "Allow New Apps" page borders to make the currently active section more obvious.


Technical Changes

  • Switched to file-scoped namespace declarations.

  • Implemented new code style enforcements.

  • Changed folder structures to match namespaces.


Note

As mentioned at the top, please refer to this page for installation instructions.


PR: #459


Harden Windows Security v.0.7.0

13 Dec 12:19
961d40a

What's New

  • Added Encryption Percentage, Protection Status, Key Protector and Encryption Method properties to the BitLocker tab's Backup section. Those properties are now displayed in the data grid for each drive and will be included in the backup file that you create. This is very useful when you need to view detailed info about the BitLocker protected drives on your system.

  • Made Audit policy checks available for all System cultures instead of only supporting English-US. This is for the compliance checking feature.

  • Improved buttons and their positions in BitLocker and Exclusions tabs.

  • Added a short description to the Exclusions tab.

  • Slightly improved the performance and speed of compliance checking.

  • Made lots of performance, quality and security related improvements to the code base.

  • Fixed this issue -> #449

  • Added Long path support policy to the Miscellaneous Category's Intune JSON configuration.

  • Added the following 3 new policies to the User Account Control Intune JSON configuration:

    • Behavior Of The Elevation Prompt For Administrator Protection: Prompt for credentials on the secure desktop
    • Type Of Admin Approval Mode: Admin Approval Mode with Administrator protection
    • Use Admin Approval Mode: Enabled
  • Changed this policy in the User Account Control Intune JSON configuration:

    • Behavior Of The Elevation Prompt For Standard Users: changed from automatically Deny to "Prompt for credentials on the secure desktop"
  • Updated the required PowerShell version from 7.4.4 to 7.4.5. The latest available version is 7.4.6 at the moment, which was released over a month ago.


PR: #453


AppControl Manager 1.6.0.0

10 Dec 10:16
04f6b12

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • The file and folder scans across the application now support parallel processing.

  • The "Allow New Apps" page's progress ring will accurately display the progress of the selected folders' scan.

  • Added a new radial gauge to the Supplemental policy creation page that lets you choose the scalability of the scan, which defines how many concurrent threads it can use to complete the scan. It also has a progress bar showing you the scan progress in real time.

  • A new page has been added to the AppControl Manager, allowing you to merge multiple App Control policies into a single, unified policy. This feature has been custom-built exclusively for this application and it completely follows the Code Integrity schema's rules. The merging process ensures that the resulting policy is free of duplicate rules. Additionally, you have the option to deploy the merged policy immediately after the merge is complete. Read more about this feature in here.

  • Added link to the source code which is in this repository to the end of the About section.

  • Added link to the Icons8 website as credit to the end of the About section.

  • Now you can select multiple folders at the same time when browsing for folders in "Allow New Apps" page and the list of the selected folders will show unique folders only.

  • The automatic AppControlManagerSupplementalPolicy supplemental policy now also allows SignTool.exe via FilePublisher rule. This is necessary so that when the DefaultWindows base policy is deployed, SignTool.exe will be able to run to perform necessary signing operations.

  • The automatic AppControlManagerSupplementalPolicy is no longer displayed by default in the System Information page. You can include it in the displayed policies by checking a box if you still want to see it, just like system policies. The reason is that it will be removed automatically when its associated base policy is removed, so the user doesn't need to take extra action anymore. This further simplifies policy management using the AppControl Manager app. Find more information about it here

Technical Changes

  • Main namespace rename.

  • FilePicker Dialogs now use NativeAOT and Trim compatible code.

  • CsWin32 no longer uses marshaling; the necessary logic is implemented manually.

  • Implemented lots of new code analyzers related to style and security.

  • Switched to the new version 7 GUID generation in every part of the code.

  • Removed an unnecessary package CommunityToolkit.WinUI.Behaviors from the app.


PR: #445


Please go back to the top of the release notes to see how to install AppControl Manager


AppControl Manager 1.5.2.0

02 Dec 16:27
e334771

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Added support for Windows 11 build 23H2. This is in response to multiple pieces of community feedback, which is always helpful and welcome. Closes #435
    • Now AppControl Manager is fully supported on Windows 11 23H2, 24H2 and Windows Server 2025
  • Completely switched to source-generated LibraryImports, improving performance. => #433
  • Implemented several new code analyzers that ensure cleaner, safer and higher-performance code.
  • Improved the scanned data result DataGrid in Supplemental policy creation page. Removed 3 unused columns that don't apply to local file scans, added 1 new column to display each scanned file's Opus data.

Overall, this is a relatively small update. Big changes are coming in version 1.6 with many new features!


In case you missed it, I posted a new video demoing AppControl Manager, check it out here
https://www.youtube.com/watch?v=SzMs13n7elE

PR: #441


AppControl Manager 1.5.1.0

28 Nov 14:26
d7f1028

What's New


Important

How To Install: Copy and Paste this command in an elevated PowerShell. (Technical explanation available here)

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

  • Enhanced Parsing Logic for MDE Advanced Hunting: The CSV parsing process no longer relies on static column positions. Instead, it dynamically identifies the location of each field, ensuring accurate parsing regardless of column order changes in the CSV file, improving robustness for any future changes. Fixed -> #423

  • Default Windows Template Policy: A new feature has been added to the policy creation page, enabling the creation of a default Windows template policy with ease.

  • Integrated Documentation Links: Links to the latest AppControl Manager documentation have been added across relevant pages. Users can now quickly access step-by-step guides by clicking a dedicated button whenever guidance is needed.

  • Fixed the menu item text for MDE Advanced Hunting; it wasn't showing the full content.

  • Made the navigation buttons in documentation pages more responsive.

  • Improved the UX when using the log size and audit mode options in the Create Policy page.
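
The parsing change in the first item above, as an added example (not AppControl Manager's code, which is written in C#): a parser that relies on static column positions silently puts values in the wrong fields when an export's column order changes, while resolving each field's index from the header row does not. The column names and both CSV samples are constructed and only assumed to resemble an Advanced Hunting export.

```python
import csv
import io

# Fields the policy-creation step needs (assumed names, for illustration).
REQUIRED = ("Timestamp", "DeviceName", "ActionType", "FileName", "SHA256")

# Constructed samples: the same event, exported with two different layouts.
EXPORT_V1 = (
    "Timestamp,DeviceName,ActionType,FileName,SHA256\n"
    "2024-11-20T10:00:00Z,pc-01,AppControlCodeIntegrityPolicyAudited,tool.exe,SAMPLEHASH\n"
)
EXPORT_V2 = (
    "\ufeffDeviceName,Timestamp,FileName,SHA256,FolderPath,ActionType\n"
    "pc-01,2024-11-20T10:00:00Z,tool.exe,SAMPLEHASH,C:\\Tools,AppControlCodeIntegrityPolicyAudited\n"
)


def parse_positional(text):
    """Fragile 'before' behaviour: assumes the column order of EXPORT_V1."""
    rows = list(csv.reader(io.StringIO(text)))
    return [dict(zip(REQUIRED, row[:len(REQUIRED)])) for row in rows[1:]]


def parse_by_header(text):
    """Locate every required field by name, whatever the column order."""
    reader = csv.reader(io.StringIO(text))
    # Strip whitespace and a UTF-8 byte order mark from the header names.
    header = [h.strip().lstrip("\ufeff") for h in next(reader)]
    index = {name: i for i, name in enumerate(header)}
    missing = [name for name in REQUIRED if name not in index]
    if missing:
        # Fail loudly instead of building rules from the wrong columns.
        raise ValueError(f"export is missing required columns: {missing}")
    records = []
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(header):
            raise ValueError(
                f"line {line_no}: expected {len(header)} fields, got {len(row)}")
        records.append({name: row[index[name]] for name in REQUIRED})
    return records


if __name__ == "__main__":
    print("positional on reordered export:", parse_positional(EXPORT_V2)[0])
    print("by header on reordered export: ", parse_by_header(EXPORT_V2)[0])
```

With the positional parser, the reordered export yields a folder path in the `SHA256` field, which is the kind of silent error that would end up in a generated policy.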


PR: #424